Field of the Invention
The present invention relates to an information processing system, a method of controlling the information processing system, and a program. In particular, the present invention relates to security policy technologies between devices in a network environment.
Description of the Related Art
Recent multifunction peripherals (MFPs) are equipped with a function of connecting to a network and providing a file service to a personal computer (PC), another MFP, etc. That is, a recent MFP includes a server function comparable to that of a file server or an authentication server on the network. Meanwhile, PCs and servers connected to an office network are required to operate according to the security policy determined for that office. The security policy is the basic policy of an entire organization regarding security, and includes security standards, individual procedures, etc. Thus, MFPs having a server function are also required to operate according to the security policy.
Port control of network services and communication services (hereinafter, "services") is one of the security policy elements for a device having a server function. Examples of services are the Line Printer Daemon protocol (LPR), the Internet Printing Protocol (IPP), and the File Transfer Protocol (FTP). A port is the gateway through which communication data passes between a service and an external apparatus, and a unique port number is assigned to each service. In other words, the port number can be regarded as identification information for identifying the service. Well-known port numbers are assigned in advance, e.g., 515 for LPR, 631 for IPP, and 21 for FTP. Meanwhile, a service often has a protocol or implementation vulnerability. Thus, in order to avoid exposing vulnerable components, port control is commonly performed to close the port of any service that is not in use. Further, some recent MFPs are equipped with a firewall function in which arbitrary network communication is permitted or prohibited based on information such as a destination address, a source address, a port number, and a protocol. In the firewall function, all such information (destination address, etc.) is set manually on a filtering rule setting screen or the like.
Meanwhile, some of the foregoing types of MFPs provide not only pre-installed services but also a mechanism for the post hoc installation of an expanded application that adds a service after shipment of the MFP, in order to satisfy various customer needs. An expanded application (a program; hereinafter, "AP") is an application that is installed post hoc. For example, an expanded AP may have a server function and provide a print service using its own port, which is different from the ports preset in the MFP. The security policy is desirably maintained even in the case where an expanded AP is installed post hoc.
In relation to the foregoing point, Japanese Patent No. 4959425 discusses an information processing apparatus in which a security level is preset and in which, in a case where an expanded AP is installed post hoc, a forced rule corresponding to the security level can be held in advance in the expanded AP. The information processing apparatus holds definitions of setting values corresponding to each security level, so that an operator can configure security-related setting values simply by designating the security level.
However, in the information processing apparatus discussed in Japanese Patent No. 4959425, the setting values are defined in terms of the ports used by the pre-installed services. This makes it difficult to flexibly control the ports of an expanded AP that is installed post hoc. Furthermore, although the firewall function can control an arbitrary port, it is difficult to determine in advance which port an expanded AP will use. This gives rise to the problem that it either takes time to properly restrict the use of the port or an inappropriate security policy is set. These problems occur not only in MFPs but also in any information processing apparatus capable of communicating with an external apparatus.
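The port control and firewall filtering described in the Related Art above, together with the gap that arises when an expanded AP listens on a port absent from the preset service table, as an added example that is not part of this application or of the cited Japanese Patent No. 4959425. It assumes a preset table containing only LPR, IPP and FTP, a constructed office network 192.0.2.0/24, a hypothetical expanded print AP on port 9200, and constructed sample packets; the Rule, filter_packet and other names are the example's own.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Pre-installed services and their well-known ports, as cited in the text.
PRESET_SERVICES = {"LPR": 515, "IPP": 631, "FTP": 21}


def open_ports_for(enabled_services: set[str]) -> set[int]:
    """Port control derived from the preset service table: the port of each
    service in use stays open, every other preset port is closed.  Unknown
    service names are rejected so a typo cannot silently leave a port open."""
    unknown = enabled_services - set(PRESET_SERVICES)
    if unknown:
        raise ValueError(f"not a preset service: {sorted(unknown)}")
    return {PRESET_SERVICES[name] for name in enabled_services}


def uncovered_listeners(listening_ports: set[int]) -> set[int]:
    """Ports the device actually listens on that the preset table knows
    nothing about, i.e. ports the service-based policy can neither open
    nor close.  An expanded AP's own port lands here."""
    return listening_ports - set(PRESET_SERVICES.values())


@dataclass(frozen=True)
class Rule:
    """One firewall filtering rule; a None field matches any value."""
    action: str                    # "permit" or "deny"
    proto: Optional[str] = None    # "tcp", "udp", ...
    src: Optional[str] = None      # source network in CIDR notation
    dst: Optional[str] = None      # destination network in CIDR notation
    dport: Optional[int] = None    # destination port

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.src is not None and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        return True


def filter_packet(rules: list[Rule], pkt: dict, default: str = "deny") -> str:
    """First-match evaluation of an ordered rule list; a packet matching no
    rule receives the default action."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def rules_from_policy(open_ports: set[int], office_net: str) -> list[Rule]:
    """Translate the port-control decision into explicit permit rules for
    the office network; everything else falls through to the default."""
    return [Rule("permit", "tcp", office_net, None, p) for p in sorted(open_ports)]


def demo() -> dict:
    """Walk through the situation described in the text.  The office
    network, the addresses and the expanded AP's port 9200 are constructed."""
    office_net = "192.0.2.0/24"
    # Office policy: only IPP and LPR are in use, so the FTP port is closed.
    open_ports = open_ports_for({"IPP", "LPR"})
    rules = rules_from_policy(open_ports, office_net)

    # After shipment a hypothetical expanded print AP starts listening on
    # port 9200; the preset table does not cover it.
    listening = {515, 631, 9200}
    uncovered = uncovered_listeners(listening)

    pkt_ap = {"proto": "tcp", "src": "192.0.2.10", "dst": "192.0.2.1", "dport": 9200}
    pkt_ftp = {"proto": "tcp", "src": "192.0.2.10", "dst": "192.0.2.1", "dport": 21}
    pkt_ext = {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.1", "dport": 631}

    result = {
        "open_ports": open_ports,
        "uncovered": uncovered,
        "ftp_from_office": filter_packet(rules, pkt_ftp),    # closed port: deny
        "ipp_from_outside": filter_packet(rules, pkt_ext),   # outside office: deny
        # With a default-deny firewall the AP is unreachable until an operator
        # learns its port and writes a rule; with default-permit it is exposed.
        "ap_default_deny": filter_packet(rules, pkt_ap, "deny"),
        "ap_default_permit": filter_packet(rules, pkt_ap, "permit"),
    }
    # The operator adds the rule by hand once the AP's port is finally known.
    rules.append(Rule("permit", "tcp", office_net, None, 9200))
    result["ap_after_manual_rule"] = filter_packet(rules, pkt_ap)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the demo makes is the one the text raises: `uncovered_listeners` reports port 9200 because the service-based policy has no entry for it, and the firewall either blocks the AP (default deny) or exposes it (default permit) until someone discovers the port and writes a rule manually.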